Need for Security Experts Outstrips Supply

Need for Security Experts Outstrips Supply

Article excerpt

Proposed Cyber Corps May Help, But Few Schools Offer Training

After February's spate of attacks on the nation's most popular commercial and educational computer networks, President Bill Clinton answered calls for more security by pledging more than $1.4 billion toward better electronic protection, including $10 million to create a "cyber corps" of trained defenders.

But those in charge of providing that security say that as the Internet grows exponentially every day, it leaves fewer and fewer qualified experts behind to keep it running, much less keep it secure from attackers.

The problem, experts say, is two-fold--there are few who are interested and capable enough for the complex task, and even fewer educational programs to teach them the skills they need. About 50 people graduate each year with a degree in electronic security from less than 10 programs nationwide, Corey Schou, assistant dean for information systems at Idaho State University, said.

And the number of positions that require people with these skills? "On the order of tens of thousands," he said.

The federal funding, if approved by Congress later this year, would provide scholarships for students interested in computer security or "information assurance," in the jargon of the field.

Students at certified programs will be eligible for funding toward their degree, up to a possible full-ride for two years of their studies. Lesser amounts, for summer study, for example, will also be available. In exchange, participating students will be asked to give one year of service to the federal government.

The goal of the program would be to graduate as many as 300 security majors each year, said John Cherniavsky, a senior adviser at the National Science Foundation, who will be administering the program.

"The field is fairly sparsely populated," he said. "There are not a whole lot of people doing research in this area and not a lot of programs. The goal is to create a cadre of folks who can go out into the federal sector and then the private sector, with expertise in information assurance."

Each year, about 35,000 computer-science majors graduate, but many do not take courses in security, and few take more than one course, Cherniavsky said. And system security is much more complex than basic technology. For example, many of the nation's computer networks are built on Unix systems that are decades old, which means that system administrators can't just be knowledgeable about the latest technology--they need to know about loopholes and problems that may have been embedded in a system from its installation in 1978.

In addition, very few schools have programs in electronic security. The National Security Administration has certified only seven universities that meet the federal government's requirements for a comprehensive course of study in electronic security. These "centers of excellence" in information assurance, which were named last year, are: Purdue University in West Lafayette, Ind.; James Madison University in Harrisonburg, Va.; George Mason in Fairfax, Va.; University of California at Davis; University of Idaho in Moscow; Idaho State University in Pocatello; and Iowa State University in Ames. A handful of other programs, such as the one offered at Carnegie-Mellon University in Pittsburgh, also meet the requirements but haven't yet applied for certification, Cherniavsky said.

The funding will be given out to the students individually, as scholarships, and officials hope the very existence of funding will increase the number of schools providing the training. …